Description
The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-12-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary deletion of purchase records via CSRF
Action: Patch Now
AI Analysis

Impact

The Purchase and Expense Manager WordPress plugin contains a Cross‑Site Request Forgery weakness caused by missing nonce validation in the sup_pt_handle_deletion function. This flaw, identified as CWE‑352, permits an unauthenticated attacker to delete any purchase record when a logged‑in site administrator is tricked into submitting a forged request. The impact is loss of data integrity and trust in financial records, while confidentiality and availability are not directly affected.

Affected Systems

Vulnerable installations are those running Purchase and Expense Manager plugin versions up to and including 1.1.2 on any WordPress site.

Risk and Exploitability

The CVSS score of 4.3 categorizes the issue as moderate, and with an EPSS score of fewer than 1 % the probability of exploitation is low, though the vulnerability is listed in no CISA KEV catalog. The likely attack vector remains a CSRF attack that requires a user‑agent trick or social engineering to force an administrator to click a malicious link. Successful exploitation leads to arbitrary deletion of purchase records on the affected site.

Generated by OpenCVE AI on April 20, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Purchase and Expense Manager to the latest stable release to remove the CSRF vulnerability.
  • If an immediate update is not possible, manually modify the sup_pt_handle_deletion function to verify a nonce before performing deletion, ensuring the request originates from a legitimate admin form.
  • Restrict the deletion action so that only users with administrator privileges can access it, and consider disabling the plugin on sites that cannot be patched promptly.

Generated by OpenCVE AI on April 20, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Purchase and Expense Manager <= 1.1.2 - Cross-Site Request Forgery to Arbitrary Purchase Record Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:53.768Z

Reserved: 2025-12-03T17:04:44.930Z

Link: CVE-2025-13987

cve-icon Vulnrichment

Updated: 2025-12-12T18:34:35.528Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:45.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses